[selinux-policy: 225/3172] cleanup inspired by sediff

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:24:25 UTC 2010


commit 32e53ac1b80ea98c00a4eb83f1beb4a662c08f3a
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 27 21:56:01 2005 +0000

    cleanup inspired by sediff

 refpolicy/policy/modules/admin/rpm.te         |   19 +++----
 refpolicy/policy/modules/admin/usermanage.te  |   11 ++--
 refpolicy/policy/modules/kernel/devices.if    |   70 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/hostname.if   |   47 +++++++++++++++-
 refpolicy/policy/modules/system/userdomain.if |    5 ++
 refpolicy/policy/modules/system/userdomain.te |   42 +++++++++++++--
 6 files changed, 167 insertions(+), 27 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 5684eab..fd03d14 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -254,6 +254,12 @@ kernel_compute_selinux_relabel_context(rpm_script_t)
 kernel_compute_selinux_reachable_user_contexts(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
 
+# ideally we would not need this
+devices_manage_generic_block_devices(rpm_script_t)
+devices_manage_generic_character_devices(rpm_script_t)
+devices_manage_all_block_devices(rpm_script_t)
+devices_manage_all_character_devices(rpm_script_t)
+
 filesystem_manage_nfs_files(rpm_script_t)
 filesystem_get_nfs_filesystem_attributes(rpm_script_t)
 # why is this not using mount?
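Review bot: The `# ideally we would not need this` comment on the added block understates what the four calls give rpm_script_t. Per the devices.if definitions added in this same commit, each call also allows `device_t:dir { write add_name remove_name }`. In addition, `devices_manage_all_block_devices` pulls in the `storage_raw_*_fixed_disk` and `storage_*_scsi_generic` interfaces, and `devices_manage_all_character_devices` assigns `memory_raw_read, memory_raw_write`. None of that was in the raw `allow` rule this commit deletes from the TODO section further down. I would say so in the comment, e.g. `# ideally we would not need this: gives rpm scriptlets raw disk and memory device access`, so the grant stands out in a policy audit.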
@@ -274,6 +280,7 @@ authlogin_manage_all_files_except_shadow(rpm_script_t)
 corecommands_execute_general_programs(rpm_script_t)
 corecommands_execute_system_programs(rpm_script_t)
 
+domain_read_all_domains_process_state(rpm_script_t)
 domain_use_widely_inheritable_file_descriptors(rpm_script_t)
 domain_execute_all_entrypoint_programs(rpm_script_t)
 domain_signal_all_domains(rpm_script_t)
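Review bot: The added `domain_read_all_domains_process_state(rpm_script_t)` call has no comment saying whether the interface keeps `dontaudit rpm_script_t domain:process ptrace;`, a rule whose rationale is deleted from the TODO section later in this file. The interface definition is not part of this commit, so this cannot be checked from here. If it lacks the rule, procps reads of /proc/pid/environ from rpm scriptlets will surface as ptrace denials in the audit log. Once confirmed, a one-line comment above the call such as `# includes the procps /proc/pid/environ ptrace dontaudit` would keep the reason next to the rule.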
@@ -310,24 +317,12 @@ ifdef(`TODO',`
 
 allow rpm_script_t sysfs_t:dir r_dir_perms;
 
-# ideally we would not need this
-allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };
-
 allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
 
 allow rpm_script_t autofs_t:dir { search getattr };
 
 can_ypbind(rpm_script_t)
 
-allow rpm_script_t domain:dir { search getattr read };
-allow rpm_script_t domain:{ file lnk_file } { read getattr };
-allow rpm_script_t domain:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit rpm_script_t domain:process ptrace;
-
 optional_policy(`automount.te', `
 allow rpm_script_t autofs_t:dir { search getattr };
 ')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 1480a75..2b869a8 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -298,9 +298,6 @@ devices_get_pseudorandom_data(passwd_t)
 
 filesystem_get_persistent_filesystem_attributes(passwd_t)
 
-terminal_use_all_private_physical_terminals(passwd_t)
-terminal_use_all_private_pseudoterminals(passwd_t)
-
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_script_ignore_modify_runtime_data(passwd_t)
@@ -320,7 +317,10 @@ miscfiles_read_localization(passwd_t)
 authlogin_manage_shadow_passwords(passwd_t)
 
 ifdef(`TODO',`
-role sysadm_r types passwd_t;
+
+ifdef(`firstboot.te',`
+domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
+')
 
 # Update /etc/shadow and /etc/passwd
 allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@@ -340,7 +340,7 @@ allow passwd_t shell_exec_t:file execute;
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
-in_user_role(passwd_t)
+
 # make sure that getcon succeeds
 allow passwd_t userdomain:dir search;
 allow passwd_t userdomain:file read;
@@ -356,7 +356,6 @@ allow passwd_t crack_db_t:file r_file_perms;
 ', `
 dontaudit passwd_t var_t:dir search;
 ')
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
 ') dnl endif TODO
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 3d2c5e4..51fab1f 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -220,6 +220,38 @@ class blk_file { getattr read write ioctl };
 
 ########################################
 #
+# devices_manage_generic_block_devices(domain)
+#
+define(`devices_manage_generic_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write add_name remove_name };
+allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+define(`devices_manage_generic_block_devices_depend',`
+type device_t;
+class dir { getattr search read };
+class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
+# devices_manage_generic_character_devices(domain)
+#
+define(`devices_manage_generic_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write add_name remove_name };
+allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+define(`devices_manage_generic_character_devices_depend',`
+type device_t;
+class dir { getattr search read };
+class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
 # devices_create_dev_entry(domain,file,objectclass(es))
 #
 define(`devices_create_dev_entry',`
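Review bot: Both `_depend` blocks in this hunk declare `class dir { getattr search read };`, while the matching `allow $1 device_t:dir` rules also use `write add_name remove_name`, so the dependency declaration does not cover what the interface uses. In `devices_manage_generic_block_devices_depend` and `devices_manage_generic_character_devices_depend` the line should read `class dir { getattr search read write add_name remove_name };`. The two `_depend` blocks added in the next hunk of this file have the same gap.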
@@ -326,6 +358,44 @@ class chr_file setattr;
 
 ########################################
 #
+# devices_manage_all_block_devices(domain)
+#
+define(`devices_manage_all_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write add_name remove_name };
+allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+# these next rules are to satisfy assertions broken by the above lines.
+storage_raw_read_fixed_disk($1)
+storage_raw_write_fixed_disk($1)
+storage_read_scsi_generic($1)
+storage_write_scsi_generic($1)
+')
+
+define(`devices_manage_generic_block_devices_depend',`
+attribute device_node;
+class dir { getattr search read };
+class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
+# devices_manage_all_character_devices(domain)
+#
+define(`devices_manage_all_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write add_name remove_name };
+allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 memory_raw_read, memory_raw_write;
+')
+
+define(`devices_manage_all_character_devices_depend',`
+attribute device_node, memory_raw_read, memory_raw_write;
+class dir { getattr search read };
+class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
+#
 # devices_raw_read_memory(domain)
 #
 define(`devices_raw_read_memory',`
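Review bot: The dependency block that follows `devices_manage_all_block_devices` is defined under the name `devices_manage_generic_block_devices_depend`, which looks like a copy-paste slip. It redefines the generic interface's dependency block from the previous hunk and leaves `devices_manage_all_block_devices_depend`, the name the `requires_block_template` call expands to, undefined; the define should use that name. Both `_depend` blocks in this hunk also declare only `attribute device_node` although the `allow $1 device_t:dir` rules reference `device_t`, so `type device_t;` appears to be missing from each. Because these interfaces hand the caller raw fixed-disk, SCSI generic and `memory_raw_read, memory_raw_write` access, the header comments should state that, e.g. `# grants raw disk access to satisfy assertions; use only for fully trusted domains`.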
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 19e1466..e7ec93d 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -1,8 +1,17 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+## <module name="hostname" layer="keyservices">
+## <summary>Policy for changing the system host name.</summary>
 
-#######################################
-#
-# hostname_transition(domain)
+########################################
+## <interface name="hostname_transition">
+##	<description>
+##		Execute hostname in the hostname domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`hostname_transition',`
 requires_block_template(`$0'_depend)
@@ -18,6 +27,36 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="hostname_transition_add_role_use_terminal">
+##	<description>
+##		Execute hostname in the hostname domain, and
+##		allow the specified role the hostname domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the hostname domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the hostname domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`hostname_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+hostname_transition($1)
+role $2 types hostname_t;
+allow hostname_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`hostname_transition_add_role_use_terminal_depend',`
+type hostname_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # hostname_execute(domain)
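Review bot: The `terminal` parameter description, `The type of the terminal allow the hostname domain to use.`, is missing a word; `The type of the terminal to allow the hostname domain to use.` reads correctly. The description could also say that the grant is `{ getattr read write ioctl }` on the terminal's `chr_file`, since that is the access a caller hands to hostname_t.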
@@ -31,3 +70,5 @@ define(`hostname_execute_depend',`
 type hostname_exec_t;
 class file { getattr read execute execute_no_trans };
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 84c3f5a..882fa9f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -205,6 +205,11 @@ if (user_ttyfile_stat) {
 terminal_get_all_private_physical_terminal_attributes($1_t)
 }
 
+optional_policy(`usermanage.te',`
+usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+')
+
 ifdef(`TODO',`
 
 # When the user domain runs ps, there will be a number of access
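Review bot: Neither `usermanage_chfn_transition_add_role_use_terminal` nor `usermanage_passwd_transition_add_role_use_terminal` is defined in any file this commit touches, so the added block relies on usermanage.if already providing them; worth confirming. The same commit drops `terminal_use_all_private_physical_terminals(passwd_t)` and `terminal_use_all_private_pseudoterminals(passwd_t)` from usermanage.te, so passwd_t's terminal access now comes only from this per-role call, and the sysadm section of userdomain.te gains only the groupadd and useradd variants. The enclosing template starts and ends outside the hunk; if it is not also expanded for sysadm, sysadm_r would be left without the passwd_t transition on its terminal. A comment above the block such as `# passwd/chfn may use only the calling role's own terminals` would record the intent.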
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index b47b421..c816dd9 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -75,6 +75,7 @@ bool user_tcp_server false;
 # Allow w to display everyone
 bool user_ttyfile_stat false;
 
+admin_domain_template(sysadm)
 user_domain_template(staff)
 user_domain_template(user)
 
@@ -83,18 +84,38 @@ user_domain_template(user)
 # Local policy
 #
 
-#allow privhome home_root_t:dir { getattr search };
+# user role change rules:
+define(`role_change',`
+allow $1_r $2_r;
+type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+# avoid annoying messages on terminal hangup
+dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+# sysadm_r can change to user roles
+role_change(sysadm, user)
+role_change(sysadm, staff)
+
+# only staff_r can change to sysadm_r
+role_change(staff, sysadm)
+
+tunable_policy(`user_canbe_sysadm',`
+role_change(user,sysadm)
+')
+
+ifdef(`TODO',`
+allow privhome home_root_t:dir { getattr search };
 
 # Add/remove user home directories
-#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+')
 
 ########################################
 #
 # Sysadm local policy
 #
 
-admin_domain_template(sysadm)
-
 # for su
 allow sysadm_t userdomain:fd use;
 
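Review bot: The comment `# only staff_r can change to sysadm_r` stops being true when `user_canbe_sysadm` is set, because the tunable block right below it expands `role_change(user,sysadm)` and so allows user_r to reach sysadm_r. I would reword it to `# staff_r can always change to sysadm_r; user_r only when user_canbe_sysadm is set`, so the privileged path is visible to anyone auditing role transitions. The declaration of `user_canbe_sysadm` is not visible in this hunk, unlike the `bool` lines earlier in the file. `role_change` also emits a role `allow $1_r $2_r;`; if `tunable_policy` expands to a runtime conditional, that statement may not be accepted inside it, so confirm how the macro is implemented.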
@@ -102,6 +123,14 @@ optional_policy(`bootloader.te',`
 bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+optional_policy(`clock.te',`
+clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`hostname.te',`
+hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`iptables.te',`
 iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
@@ -142,6 +171,7 @@ optional_policy(`sysnetwork.te',`
 sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')
 
-optional_policy(`clock.te',`
-clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+optional_policy(`usermanage.te',`
+usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')

